Can't get rid of Linksicle


  • This topic is locked
8 replies to this topic

#1 TidesofFate

TidesofFate

  • Members
  • 5 posts
  • OFFLINE

Posted 30 December 2016 - 05:24 PM

I've used a lot of anti-malware programs. A lot of them didn't detect anything and only 3 detected any threats, two PUPs and some cookies for the most part.

It's only shown itself on one page and one word (the website being letswatchstartrek if anyone was curious. It's not a streaming site. Just a site that reviews content). The reason why I know it's Linksicle is because I put my mouse over it, but I did not click it.

I have reset the Google Chrome settings 2 to 3 times.
 
There is no Linksicle extension on the browser.

I don't see any folder for Linksicle nor do I see it when I open up the control panel. It's almost as if it isn't there.

Any help I can get would be appreciated.


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,545 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 AM

Posted 31 December 2016 - 10:20 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Download the version of this tool for your operating system.
Farbar Recovery Scan Tool (64 bit)
Farbar Recovery Scan Tool (32 bit)
and save it to a folder on your computer's Desktop.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

How to attach a file to your reply:
In the Reply section at the bottom of the topic, click the "more reply Options" button.

Attach the file.
Select "Choose a File" and navigate to the location of the file.
Click the file you wish to attach.

Click the Add reply button.
===


Please post the logs.

Wait for my instructions.

#3 TidesofFate

TidesofFate
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE

Posted 31 December 2016 - 12:40 PM

Thank you.
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(SurfRight B.V.) C:\Program Files\HitmanPro\hmpsched.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(AMD) C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpertService.exe
(AMD) C:\Program Files (x86)\AMD\RAIDXpert\bin\RAIDXpert.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\FreedomeService.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe
(Microsoft Corporation) C:\Windows\System32\msiexec.exe
() C:\Program Files\Reason\Security\Protection\rscp\bin\rscp_svc.exe
(Reason Software Company Inc.) C:\Program Files\Reason\Security\rsEngineSvc.exe
(Piriform) C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudAgent.exe
(Malwarebytes) C:\Program Files (x86)\Malwarebytes Anti-Malware\mbam.exe
(Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Piriform) C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudTray.exe
(F-Secure Corporation) C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe
(Google) C:\Program Files (x86)\Google\Drive\googledrivesync.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
() C:\Program Files\Reason\Security\Protection\rscp\bin\rscp_bg.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.32.7\GoogleCrashHandler64.exe
(Electronic Arts) C:\Program Files (x86)\Origin\OriginWebHelperService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Valve Corporation) C:\Program Files (x86)\Steam\Steam.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Valve Corporation) C:\Program Files (x86)\Common Files\Steam\SteamService.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(Valve Corporation) C:\Program Files (x86)\Steam\bin\cef\cef.win7\steamwebhelper.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
(AMD) C:\Windows\SysWOW64\WinMsgBalloonServer.exe
(AMD) C:\Windows\SysWOW64\WinMsgBalloonClient.exe
(Microsoft Corporation) C:\Windows\SysWOW64\wbem\WmiPrvSE.exe
(The OpenVPN Project) C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\openvpn.exe
(Reason Software Company Inc.) C:\Program Files\Reason\Security\rsUI.exe
(Google Inc.) C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
 
==================== Registry (Whitelisted) ====================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [13636824 2013-07-26] (Realtek Semiconductor)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [767176 2014-11-17] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [4513792 2014-05-22] (Brother Industries, Ltd.)
HKLM-x32\...\Run: [PlaysTV] => C:\Program Files (x86)\Raptr Inc\PlaysTV\playstv_launcher.exe [71440 2016-06-06] (Plays.tv, LLC)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [598552 2016-06-22] (Oracle Corporation)
HKLM-x32\...\Run: [CCleanerCloudTray] => C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudTray.exe [2772392 2016-04-04] (Piriform)
HKLM-x32\...\Run: [FreedomeAutoStart] => C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\Freedome.exe [4460000 2016-12-30] (F-Secure Corporation)
HKU\S-1-5-21-1514858351-3292536063-3297741313-1002\...\Run: [Steam] => C:\Program Files (x86)\Steam\steam.exe [2876704 2016-12-19] (Valve Corporation)
HKU\S-1-5-21-1514858351-3292536063-3297741313-1002\...\Run: [EADM] => C:\Program Files (x86)\Origin\Origin.exe [3044848 2016-11-24] (Electronic Arts)
HKU\S-1-5-21-1514858351-3292536063-3297741313-1002\...\Run: [Skype] => C:\Program Files (x86)\Skype\Phone\Skype.exe [27011712 2016-10-17] (Skype Technologies S.A.)
HKU\S-1-5-21-1514858351-3292536063-3297741313-1002\...\Run: [GoogleDriveSync] => C:\Program Files (x86)\Google\Drive\googledrivesync.exe [23818360 2016-11-30] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveBlacklisted] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSynced] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [  GoogleDriveSyncing] -> {81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41} => C:\Program Files (x86)\Google\Drive\googledrivesync64.dll [2016-11-30] (Google)
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
Tcpip\Parameters: [DhcpNameServer] 198.18.11.133
Tcpip\Parameters: [NameServer] 8.8.8.8,8.8.8.4
Tcpip\..\Interfaces\{3BC5BF5D-ADB9-4326-B3F6-F8829E062758}: [DhcpNameServer] 198.18.11.133
Tcpip\..\Interfaces\{4DF0075E-8D32-4786-B9C0-CBE4E1FA15FF}: [NameServer] Freedome
Tcpip\..\Interfaces\{4DF0075E-8D32-4786-B9C0-CBE4E1FA15FF}: [DhcpNameServer] 10.0.0.1
 
Internet Explorer:
==================
HKU\S-1-5-21-1514858351-3292536063-3297741313-1002\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = hxxp://www.msn.com/?ocid=iehp
SearchScopes: HKU\S-1-5-21-1514858351-3292536063-3297741313-1002 -> {67C334C0-408D-4E6D-B5A7-0ADD6AFFA252} URL = 
BHO: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll [2012-02-14] (Advanced Micro Devices)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll => No File
BHO-x32: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll [2012-02-14] (Advanced Micro Devices)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\ssv.dll [2016-09-21] (Oracle Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\jp2ssv.dll [2016-09-21] (Oracle Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Filter-x32: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
Filter-x32: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll [2011-06-08] (Advanced Micro Devices)
 
FireFox:
========
FF HKLM\...\Firefox\Extensions: [soda_pdf_8_conv@sodapdf.com] - C:\Program Files\Soda PDF 8\resources\sodapdf8firefoxextension => not found
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\dtplugin\npDeployJava1.dll [2016-09-21] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.101.2 -> C:\Program Files (x86)\Java\jre1.8.0_101\bin\plugin2\npjp2.dll [2016-09-21] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> C:\Program Files (x86)\Microsoft Silverlight\5.1.41212.0\npctrl.dll [2015-12-11] ( Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.32.7\npGoogleUpdate3.dll [2016-12-16] (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2016-09-30] (Adobe Systems Inc.)
FF Plugin-x32: Soda PDF 8 -> C:\Program Files (x86)\Soda PDF 8\np-previewer.dll [No File]
 
Chrome: 
=======
CHR Profile: C:\Users\stefan\AppData\Local\Google\Chrome\User Data\Default [2016-12-31]
CHR Extension: (Google Drive) - C:\Users\stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-01-26]
CHR Extension: (YouTube) - C:\Users\stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-01-26]
CHR Extension: (Adblock Plus) - C:\Users\stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2016-10-26]
CHR Extension: (Google Search) - C:\Users\stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2016-01-26]
CHR Extension: (Kindle Cloud Reader) - C:\Users\stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\icdipabjmbhpdkjaihfjoikhjjeneebd [2016-01-26]
CHR Extension: (Chrome Web Store Payments) - C:\Users\stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-07-23]
CHR Extension: (Gmail) - C:\Users\stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-01-26]
CHR Extension: (Chrome Media Router) - C:\Users\stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-15]
CHR HKU\S-1-5-21-1514858351-3292536063-3297741313-1002\SOFTWARE\Google\Chrome\Extensions\...\Chrome\Extension: [lmjegmlicamnimmfhcmpkclmigmmcbeh] - hxxps://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - hxxps://clients2.google.com/service/update2/crx
 
==================== Services (Whitelisted) ====================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2014-11-17] (Advanced Micro Devices, Inc.) [File not signed]
S3 BRSptStub; C:\ProgramData\BitRaider\BRSptStub.exe [746648 2016-05-16] (BitRaider, LLC)
S3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [282112 2013-09-25] (Brother Industries, Ltd.) [File not signed]
R2 CCleanerCloudAgentService; C:\Program Files (x86)\CCleaner Cloud\CCleanerCloudAgent.exe [18619304 2016-04-04] (Piriform)
R2 Freedome Service; C:\Program Files (x86)\F-Secure\Freedome\Freedome\1\FreedomeService.exe [515552 2016-12-30] (F-Secure Corporation)
R2 HitmanProScheduler; C:\Program Files\HitmanPro\hmpsched.exe [135496 2016-12-30] (SurfRight B.V.)
R2 MBAMScheduler; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamscheduler.exe [1514464 2016-03-10] (Malwarebytes)
R2 MBAMService; C:\Program Files (x86)\Malwarebytes Anti-Malware\mbamservice.exe [1136608 2016-03-10] (Malwarebytes)
S3 Origin Client Service; C:\Program Files (x86)\Origin\OriginClientService.exe [2119688 2016-11-24] (Electronic Arts)
R2 Origin Web Helper Service; C:\Program Files (x86)\Origin\OriginWebHelperService.exe [2180624 2016-11-24] (Electronic Arts)
S2 PlaysService; C:\Program Files (x86)\Raptr Inc\PlaysTV\plays_service.exe [32528 2016-06-06] (Plays.tv, LLC)
R2 rscp; C:\Program Files\Reason\Security\Protection\rscp\bin\rscp_svc.exe [254232 2016-12-30] ()
R2 rsEngineSvc; C:\Program Files\Reason\Security\rsEngineSvc.exe [89880 2016-09-29] (Reason Software Company Inc.)
S4 Soda PDF 8; C:\Program Files\Soda PDF 8\ws.exe [2263504 2016-08-26] (LULU SOFTWARE LIMITED)
S4 Soda PDF 8 CrashHandler; C:\Program Files\Soda PDF 8\crash-handler-ws.exe [920016 2016-08-26] (LULU SOFTWARE LIMITED)
S4 Soda PDF 8 Creator; C:\Program Files\Soda PDF 8\creator-ws.exe [733136 2016-08-26] (LULU SOFTWARE LIMITED)
S4 Soda PDF 8 Manager; C:\ProgramData\LULU Software\Soda PDF 8 Manager\Soda PDF 8\Soda Manager.exe [887800 2016-04-19] (LULU Software Limited)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-13] (Microsoft Corporation)
 
===================== Drivers (Whitelisted) ======================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 AODDriver4.3; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\amd64\AODDriver2.sys [59616 2014-02-11] (Advanced Micro Devices)
R3 fsfreedometap; C:\Windows\System32\DRIVERS\fsfreedometap.sys [34344 2016-12-30] (The OpenVPN Project)
R3 MBAMProtector; C:\Windows\system32\drivers\mbam.sys [27008 2016-03-10] (Malwarebytes)
R3 MBAMSwissArmy; C:\Windows\system32\drivers\MBAMSwissArmy.sys [192216 2016-12-31] (Malwarebytes)
R3 MBAMWebAccessControl; C:\Windows\system32\drivers\mwac.sys [64896 2016-03-10] (Malwarebytes Corporation)
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 ZAM; C:\Windows\System32\drivers\zam64.sys [203680 2016-12-30] (Zemana Ltd.)
R1 ZAM_Guard; C:\Windows\System32\drivers\zamguard64.sys [203680 2016-12-30] (Zemana Ltd.)
U0 aswVmm; no ImagePath
S3 BRDriver64_1_4_0_5C00A8AF; \??\C:\ProgramData\Bitraider\support\1.4.0\5C00A8AF\BRDriver64.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)
 
 
==================== One Month Created files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-31 09:32 - 2016-12-31 09:32 - 00016316 _____ C:\Users\stefan\Downloads\FRST.txt
2016-12-31 09:32 - 2016-12-31 09:32 - 00000000 ____D C:\Users\stefan\Desktop\Folder
2016-12-31 09:29 - 2016-12-31 09:32 - 00000000 ____D C:\FRST
2016-12-30 17:20 - 2016-12-30 17:20 - 00189230 _____ C:\Windows\ntbtlog.txt
2016-12-30 15:55 - 2016-12-30 15:55 - 00034344 _____ (The OpenVPN Project) C:\Windows\system32\Drivers\fsfreedometap.sys
2016-12-30 15:55 - 2016-12-30 15:55 - 00002310 _____ C:\Users\Public\Desktop\Freedome.lnk
2016-12-30 15:55 - 2016-12-30 15:55 - 00000000 ____D C:\Users\stefan\AppData\Local\F-Secure
2016-12-30 15:55 - 2016-12-30 15:55 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Freedome
2016-12-30 15:55 - 2016-12-30 15:55 - 00000000 ____D C:\ProgramData\F-Secure
2016-12-30 15:55 - 2016-12-30 15:55 - 00000000 ____D C:\Program Files (x86)\F-Secure
2016-12-30 15:54 - 2016-12-30 15:54 - 40384992 _____ (F-Secure Corporation) C:\Users\stefan\Downloads\Freedome.exe
2016-12-30 15:49 - 2016-12-31 09:32 - 00062637 _____ C:\Windows\ZAM.krnl.trace
2016-12-30 15:49 - 2016-12-31 09:32 - 00033926 _____ C:\Windows\ZAM_Guard.krnl.trace
2016-12-30 15:39 - 2016-12-30 15:39 - 00003296 _____ C:\Windows\System32\Tasks\CCleaner Cloud Update
2016-12-30 15:39 - 2016-12-30 15:39 - 00003074 _____ C:\Windows\System32\Tasks\CCleaner Cloud Watchdog
2016-12-30 15:39 - 2016-12-30 15:39 - 00000000 ____D C:\ProgramData\Piriform
2016-12-30 15:39 - 2016-12-30 15:39 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner Cloud
2016-12-30 15:39 - 2016-12-30 15:39 - 00000000 ____D C:\Program Files (x86)\CCleaner Cloud
2016-12-30 15:38 - 2016-12-30 15:38 - 06508544 _____ C:\Users\stefan\Downloads\agent_installer.msi
2016-12-30 15:13 - 2016-12-30 15:13 - 00388608 _____ (Trend Micro Inc.) C:\Users\stefan\Downloads\HijackThis.exe
2016-12-30 14:58 - 2016-12-30 14:58 - 00001077 _____ C:\Users\Public\Desktop\Revo Uninstaller Pro.lnk
2016-12-30 14:58 - 2016-12-30 14:58 - 00000000 ____D C:\Users\stefan\AppData\Local\VS Revo Group
2016-12-30 14:58 - 2016-12-30 14:58 - 00000000 ____D C:\ProgramData\VS Revo Group
2016-12-30 14:58 - 2016-12-30 14:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Revo Uninstaller Pro
2016-12-30 14:58 - 2016-12-30 14:58 - 00000000 ____D C:\Program Files\VS Revo Group
2016-12-30 14:58 - 2016-12-21 14:52 - 00040240 _____ (VS Revo Group) C:\Windows\system32\Drivers\revoflt.sys
2016-12-30 14:57 - 2016-12-30 14:58 - 11523496 _____ (VS Revo Group ) C:\Users\stefan\Downloads\RevoUninProSetup.exe
2016-12-30 14:28 - 2016-12-30 14:28 - 00752296 _____ C:\Users\stefan\Downloads\Adware Removal Tool by TSA.exe
2016-12-30 14:28 - 2016-12-30 14:28 - 00290304 _____ (Microsoft Corporation) C:\Windows\SysWOW64\subinacl.exe
2016-12-30 14:28 - 2016-12-30 14:28 - 00000000 ____D C:\Program Files (x86)\Adware Removal Tool by TSA
2016-12-30 14:20 - 2016-12-30 14:21 - 06253640 _____ (AVAST Software) C:\Users\stefan\Downloads\avast_free_antivirus_setup_online_cnet_2 (1).exe
2016-12-30 13:20 - 2016-12-30 13:20 - 00000000 ____D C:\ProgramData\Reason
2016-12-30 13:18 - 2016-12-30 13:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Reason Core Security
2016-12-30 13:18 - 2016-12-30 13:58 - 00000000 ____D C:\Program Files\Reason
2016-12-30 13:18 - 2016-12-30 13:18 - 00000903 _____ C:\Users\Public\Desktop\Reason Core Security.lnk
2016-12-30 13:17 - 2016-12-30 13:17 - 06406240 _____ (Reason Software Company Inc.) C:\Users\stefan\Downloads\reason-core-security-setup.exe
2016-12-30 12:37 - 2016-12-30 19:52 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Anvisoft
2016-12-30 12:37 - 2016-12-30 19:52 - 00000000 ____D C:\Program Files (x86)\Anvisoft
2016-12-30 12:37 - 2016-12-30 12:37 - 09394344 _____ (Anvisoft) C:\Users\stefan\Downloads\astsetup.exe
2016-12-30 12:37 - 2016-12-30 12:37 - 00000000 ____D C:\Users\stefan\AppData\Local\Anvisoft
2016-12-30 12:26 - 2016-12-30 12:26 - 01663040 _____ (Malwarebytes) C:\Users\stefan\Downloads\JRT.exe
2016-12-30 12:13 - 2016-12-30 13:58 - 00000000 ____D C:\Users\stefan\AppData\Local\Zemana
2016-12-30 12:13 - 2016-12-30 12:13 - 05227968 _____ (Zemana Ltd.) C:\Users\stefan\Downloads\Zemana.AntiMalware.Portable.exe
2016-12-30 12:13 - 2016-12-30 12:13 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zamguard64.sys
2016-12-30 12:13 - 2016-12-30 12:13 - 00203680 _____ (Zemana Ltd.) C:\Windows\system32\Drivers\zam64.sys
2016-12-30 12:04 - 2016-12-30 13:58 - 00000000 ____D C:\EEK
2016-12-30 12:03 - 2016-12-30 12:04 - 281520256 _____ C:\Users\stefan\Downloads\EmsisoftEmergencyKit.exe
2016-12-30 11:59 - 2016-12-30 13:58 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
2016-12-30 11:59 - 2016-12-30 13:58 - 00000000 ____D C:\Program Files\HitmanPro
2016-12-30 11:59 - 2016-12-30 11:59 - 00001897 _____ C:\Users\Public\Desktop\HitmanPro.lnk
2016-12-30 11:58 - 2016-12-30 12:02 - 00000000 ____D C:\ProgramData\HitmanPro
2016-12-30 11:53 - 2016-12-30 11:58 - 11581544 _____ (SurfRight B.V.) C:\Users\stefan\Downloads\hitmanpro_x64.exe
2016-12-30 11:39 - 2016-12-30 11:39 - 03977168 _____ C:\Users\stefan\Downloads\adwcleaner_6.041.exe
2016-12-29 07:57 - 2016-12-29 07:57 - 00000221 _____ C:\Users\stefan\Desktop\Mass Effect.url
2016-12-28 20:25 - 2016-12-28 20:27 - 890284032 _____ (BioWare) C:\Users\stefan\Downloads\MassEffect_BDtS_EFIGS.exe
2016-12-25 15:07 - 2016-12-25 15:07 - 00802993 _____ C:\Users\stefan\Downloads\Garberville%2c CA to Kelso%2c WA Directions - MapQuest.pdf
2016-12-13 07:50 - 2016-12-13 07:50 - 00000000 ____D C:\Users\stefan\AppData\Local\Chromium
2016-12-06 13:29 - 2016-12-06 13:29 - 00011473 _____ C:\Users\stefan\Documents\Road to War questions.abw
2016-12-05 15:08 - 2016-12-05 15:08 - 00010595 _____ C:\Users\stefan\Documents\Hamlet essay.abw
2016-12-02 22:20 - 2016-12-02 22:20 - 86990570 _____ C:\Users\stefan\Documents\TNG 4 25.abw
 
==================== One Month Modified files and folders ========
 
(If an entry is included in the fixlist, the file/folder will be moved.)
 
2016-12-31 09:29 - 2016-01-26 10:44 - 00000000 ____D C:\Program Files (x86)\Steam
2016-12-31 09:28 - 2016-09-23 09:05 - 00000892 _____ C:\Windows\Tasks\Adobe Flash Player PPAPI Notifier.job
2016-12-31 09:25 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\security
2016-12-31 09:24 - 2016-01-26 10:56 - 00000000 ____D C:\Users\stefan\AppData\Roaming\Skype
2016-12-31 09:24 - 2016-01-26 10:51 - 00000000 ____D C:\ProgramData\Origin
2016-12-31 09:24 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\system32\NDF
2016-12-31 09:23 - 2016-01-26 13:30 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2016-12-31 09:22 - 2009-07-13 21:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-12-30 23:09 - 2016-03-29 11:36 - 00000000 ____D C:\AdwCleaner
2016-12-30 23:09 - 2009-07-13 20:45 - 00010320 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-12-30 23:09 - 2009-07-13 20:45 - 00010320 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-12-30 22:46 - 2009-07-13 21:13 - 00781298 _____ C:\Windows\system32\PerfStringBackup.INI
2016-12-30 22:46 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\inf
2016-12-30 22:19 - 2016-09-23 09:05 - 00000830 _____ C:\Windows\Tasks\Adobe Flash Player Updater.job
2016-12-30 20:45 - 2016-11-06 10:57 - 00000000 ____D C:\Users\stefan\AbiSuite
2016-12-30 20:01 - 2016-01-26 10:55 - 00000000 ____D C:\Users\stefan\AppData\Roaming\Origin
2016-12-30 16:49 - 2016-05-08 20:04 - 00000000 ____D C:\Program Files\Soda PDF 8
2016-12-30 15:49 - 2016-07-14 19:04 - 00000000 ____D C:\ProgramData\AVAST Software
2016-12-30 15:41 - 2016-01-25 14:09 - 00000000 ____D C:\Windows\Panther
2016-12-30 15:13 - 2016-01-26 10:21 - 00000000 ____D C:\Users\stefan\AppData\Local\VirtualStore
2016-12-30 13:59 - 2016-01-26 10:21 - 00000000 ____D C:\Users\stefan
2016-12-30 13:58 - 2016-07-23 10:10 - 00000000 ____D C:\Program Files\SUPERAntiSpyware
2016-12-30 13:58 - 2016-07-14 19:06 - 00000000 ____D C:\Windows\System32\Tasks\AVAST Software
2016-12-30 13:58 - 2016-03-08 19:54 - 00000000 ____D C:\Users\stefan\AppData\Roaming\BANDISOFT
2016-12-30 13:58 - 2016-01-26 13:21 - 00000000 ____D C:\Users\stefan\Documents\BioWare
2016-12-30 13:58 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\registration
2016-12-30 13:58 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\AppCompat
2016-12-30 12:27 - 2016-07-11 11:47 - 00000000 ____D C:\a
2016-12-28 20:31 - 2016-01-26 10:51 - 00000000 ____D C:\ProgramData\Electronic Arts
2016-12-24 17:41 - 2016-03-08 19:53 - 00000000 ____D C:\Users\stefan\Documents\Bandicam
2016-12-23 14:16 - 2016-01-26 10:51 - 00000000 ____D C:\Program Files (x86)\Origin
2016-12-21 12:46 - 2016-03-01 20:24 - 00000000 ____D C:\Users\stefan\AppData\LocalLow\Temp
2016-12-17 13:43 - 2016-08-15 21:46 - 00002182 _____ C:\Users\stefan\Desktop\Kindle.lnk
2016-12-16 13:52 - 2016-03-01 12:13 - 00002042 _____ C:\Users\Public\Desktop\Google Slides.lnk
2016-12-16 13:52 - 2016-03-01 12:13 - 00002040 _____ C:\Users\Public\Desktop\Google Sheets.lnk
2016-12-16 13:52 - 2016-03-01 12:13 - 00002030 _____ C:\Users\Public\Desktop\Google Docs.lnk
2016-12-16 13:52 - 2016-03-01 12:13 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
2016-12-16 13:45 - 2016-01-26 10:22 - 00003330 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-12-16 13:45 - 2016-01-26 10:22 - 00003202 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-12-15 08:46 - 2016-09-23 09:30 - 00002195 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
2016-12-15 08:46 - 2016-09-23 09:30 - 00002183 _____ C:\Users\Public\Desktop\Google Chrome.lnk
2016-12-14 09:18 - 2016-01-26 10:45 - 00000000 ____D C:\Users\stefan\AppData\Local\Steam
2016-12-13 22:19 - 2016-09-23 09:05 - 00802904 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2016-12-13 22:19 - 2016-09-23 09:05 - 00144472 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2016-12-13 22:19 - 2016-09-23 09:05 - 00003886 _____ C:\Windows\System32\Tasks\Adobe Flash Player PPAPI Notifier
2016-12-13 22:19 - 2016-09-23 09:05 - 00003768 _____ C:\Windows\System32\Tasks\Adobe Flash Player Updater
2016-12-13 22:19 - 2016-09-23 09:05 - 00000000 ____D C:\Windows\system32\Macromed
2016-12-13 22:19 - 2016-07-11 11:47 - 00000000 ____D C:\Windows\SysWOW64\Macromed
2016-12-11 19:10 - 2016-07-23 10:10 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
 
==================== Files in the root of some directories =======
 
2016-07-11 11:47 - 2016-07-11 11:47 - 19397312 _____ (Adobe Systems Incorporated) C:\Users\stefan\AppData\Local\install_flash_player_21_active_x.exe
2016-07-11 11:47 - 2016-07-11 11:47 - 0000000 _____ () C:\Users\stefan\AppData\Local\run.txt
2016-07-11 11:48 - 2016-07-11 11:48 - 0000001 _____ () C:\Users\stefan\AppData\Local\setupsuccessful.txt
2016-07-11 11:47 - 2016-07-11 11:48 - 0000000 _____ () C:\Users\stefan\AppData\Local\stxtname.txt
2016-07-13 20:42 - 2016-07-13 20:42 - 0000000 _____ () C:\Users\stefan\AppData\Local\{042AD45E-4BC7-4DB5-9422-4EF0A135CA1D}
2016-01-25 22:10 - 2016-01-25 22:10 - 0000000 ____H () C:\ProgramData\DP45977C.lfl
 
Some files in TEMP:
====================
C:\Users\user\AppData\Local\Temp\ChCfg.exe
C:\Users\user\AppData\Local\Temp\mfc80u.dll
C:\Users\user\AppData\Local\Temp\msvcp80.dll
C:\Users\user\AppData\Local\Temp\msvcr80.dll
C:\Users\user\AppData\Local\Temp\RtlExUpd.dll
C:\Users\user\AppData\Local\Temp\Setup.exe
 
 
==================== Bamital & volsnap ======================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed
 
LastRegBack: 2016-12-24 12:58
 
==================== End of FRST.txt ============================

#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,545 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 AM

Posted 01 January 2017 - 09:05 AM

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.

Please copy the entire contents of the code box below to a new file.
 
Start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

SearchScopes: HKU\S-1-5-21-1514858351-3292536063-3297741313-1002 -> {67C334C0-408D-4E6D-B5A7-0ADD6AFFA252} URL =
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll => No File
FF Plugin-x32: Soda PDF 8 -> C:\Program Files (x86)\Soda PDF 8\np-previewer.dll [No File]	
CHR Extension: (Chrome Web Store Payments) - C:\Users\stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-07-23]
CHR Extension: (Chrome Media Router) - C:\Users\stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-15]
U0 aswVmm; no ImagePath
S3 BRDriver64_1_4_0_5C00A8AF; \??\C:\ProgramData\Bitraider\support\1.4.0\5C00A8AF\BRDriver64.sys [X]

Reboot:

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the LogFile button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner window.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

If the problem persists run this tool.

--RogueKiller--
  • Download RogueKiller and save it to your Desktop.
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click to open the Report.
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.

You can manually check your present version and update as recommended.
https://www.java.com/en/download/installed.jsp

Be careful not to install malware posing as a Java update!
Important: read this blog.
http://blog.trendmicro.com/trendlabs-security-intelligence/malware-poses-as-an-update-for-java-0-day-fix/

Quoted from the page.
"In light of the recent events surrounding Java, users must seriously consider their use of Java. Do they really need it? If yes, make sure that users follow the steps we recommended and get the security update directly from the official oracle website." at:
http://www.oracle.com/technetwork/java/javase/downloads/index.html

How to disable Java in your browsers
http://www.infoworld.com/t/web-browsers/how-disable-java-in-your-browsers-210882

If still present after the update you can remove the old version(s) of Java via the Control Panel > Programs and Features.
Java 8 Update 101 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F32180101F0}) (Version: 8.0.1010.13 - Oracle Corporation)
===

Please post the logs and let me know what problem persists with this computer.
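On the Java advice in the post above, one point worth separating out: the exposure the update advice is about is the browser plugin, and Chrome has not loaded NPAPI plugins such as Java since version 45 (2015), so in Chrome the plugin cannot run regardless of what is installed; Firefox of this period still could. What remains is the installed runtime, which only matters if a desktop application needs it. The PowerShell below is an added example, not from this thread, that enumerates Oracle Java builds from the same Uninstall keys FRST reads (the 32-bit WOW6432Node view is what FRST prints as HKLM-x32) and, per hive, prints the msiexec command for every build except the newest. Against the entry quoted in the post it would print the product code {26A24AE4-039D-4CA4-87B4-2F32180101F0}. Function names and the name pattern are my own; nothing is uninstalled unless you run a printed command yourself.

```powershell
# Added example (not from the thread): list Oracle Java builds registered in
# Programs and Features and print a removal command for every build that is
# not the newest in its hive. Run the printed commands from an elevated prompt.

function Get-InstalledJava {
    # 64-bit view and the 32-bit WOW6432Node view (FRST labels the latter HKLM-x32).
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    # Matches "Java 8 Update 101", "Java(TM) 7 Update 45", "Java 8 Update 101 (64-bit)"
    # and "Java SE Development Kit 8 Update 101"; does not match "Java Auto Updater".
    $namePattern = '^Java(\(TM\))?\s+(SE\s+Development\s+Kit\s+)?\d+\s+Update\s+\d+'
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }          # no WOW6432Node on 32-bit Windows
        foreach ($key in Get-ChildItem $hive) {
            $p = Get-ItemProperty $key.PSPath
            if ($p.DisplayName -notmatch $namePattern) { continue }
            if ($p.Publisher -notmatch 'Oracle|Sun Microsystems') { continue }
            $ver = $null
            try { $ver = [version]$p.DisplayVersion } catch { }   # e.g. 8.0.1010.13
            New-Object PSObject -Property @{
                Name        = $p.DisplayName
                Version     = $ver
                ProductCode = $key.PSChildName   # MSI product GUID for Oracle's installer
                Hive        = $hive
            }
        }
    }
}

function Get-OldJavaRemovalCommands {
    param([object[]]$Builds)
    # Newest build per hive is kept; 64-bit and 32-bit JREs are separate products.
    foreach ($group in ($Builds | Group-Object Hive)) {
        $sorted = @($group.Group | Sort-Object Version -Descending)
        for ($i = 1; $i -lt $sorted.Count; $i++) {
            $old = $sorted[$i]
            if ($old.ProductCode -match '^\{[0-9A-F-]{36}\}$') {
                # /x = uninstall this product code, /qn = no UI.
                "Older build '$($old.Name)': msiexec.exe /x `"$($old.ProductCode)`" /qn /norestart"
            } else {
                "Older build '$($old.Name)': not an MSI product code, remove via Programs and Features"
            }
        }
    }
}

$java = @(Get-InstalledJava)
if ($java.Count -eq 0) {
    'No Oracle Java runtime registered in Programs and Features.'
} else {
    $java | Sort-Object Hive, Version -Descending | Format-Table Name, Version, ProductCode, Hive -AutoSize
    Get-OldJavaRemovalCommands -Builds $java
}
```

If the newest build listed is itself out of date, the same msiexec line removes it too; the version page linked in the post is the place to compare against.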

#5 TidesofFate (Topic Starter)

Posted 01 January 2017 - 11:43 AM

The word on that one page I mentioned is still highlighted in green.
Thank you for your help so far though.


Also, do I actually need Java? Can I uninstall it?

This is from Report Rogue
 
RogueKiller V12.9.0.0 (x64) [Dec 26 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/download/roguekiller/
Blog : http://www.adlice.com
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : stefan [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Mode : Scan -- Date : 01/01/2017 08:17:04 (Duration : 00:13:14)
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 6 ¤¤¤
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\Interfaces\{3BC5BF5D-ADB9-4326-B3F6-F8829E062758} | DhcpNameServer : 198.18.50.137 ([X])  -> Found
[PUM.Dns] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Tcpip\Parameters\Interfaces\{3BC5BF5D-ADB9-4326-B3F6-F8829E062758} | DhcpNameServer : 198.18.50.137 ([X])  -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C944A6D6-EA52-463B-8793-9274A0F69DC1} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\stefan\AppData\Local\Apps\2.0\3VD4REBD.688\H1DZNEGD.C2Y\blee..tion_77e1dafb7459f666_0001.0000_8776ab021f75b0d7\Bleep.exe|Name=BitTorrent Bleep| [7] -> Found
[Suspicious.Path] (X64) HKEY_LOCAL_MACHINE\System\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules | {C944A6D6-EA52-463B-8793-9274A0F69DC1} : v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Users\stefan\AppData\Local\Apps\2.0\3VD4REBD.688\H1DZNEGD.C2Y\blee..tion_77e1dafb7459f666_0001.0000_8776ab021f75b0d7\Bleep.exe|Name=BitTorrent Bleep| [7] -> Found
[PUM.StartMenu] (X64) HKEY_USERS\S-1-5-21-1514858351-3292536063-3297741313-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
[PUM.StartMenu] (X86) HKEY_USERS\S-1-5-21-1514858351-3292536063-3297741313-1002\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowMyGames : 0  -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 0 ¤¤¤
 
¤¤¤ WMI : 0 ¤¤¤
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: WDC WD5000AAKS-00TMA0 ATA Device +++++
--- User ---
[MBR] d8572ee3d59ca60f995a68cf1c8b8580
[BSP] 5a405a53bd8b6e41f97a66a17bd1d7f1 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 476937 MB [Windows XP Bootstrap | Windows XP Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: SanDisk SDSSDXPS240G ATA Device +++++
--- User ---
[MBR] b14e6b8c4b16b5f1f34b9fe0a386374d
[BSP] 562e930b8901a4c67d3aa3c7cfac5160 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 206848 | Size: 228834 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK
 
 
Adwcleaner
 

# AdwCleaner v6.041 - Logfile created 01/01/2017 at 07:50:28
# Updated on 16/12/2016 by Malwarebytes
# Database : 2016-12-29.2 [Local]
# Operating System : Windows 7 Professional Service Pack 1 (X64)
# Username : stefan - USER-PC
# Running from : C:\Users\stefan\Desktop\adwcleaner_6.041.exe
# Mode: Scan
# Support : https://www.malwarebytes.com/support
 
 
 
***** [ Services ] *****
 
No malicious services found.
 
 
***** [ Folders ] *****
 
No malicious folders found.
 
 
***** [ Files ] *****
 
No malicious files found.
 
 
***** [ DLL ] *****
 
No malicious DLLs found.
 
 
***** [ WMI ] *****
 
No malicious keys found.
 
 
***** [ Shortcuts ] *****
 
No infected shortcut found.
 
 
***** [ Scheduled Tasks ] *****
 
No malicious task found.
 
 
***** [ Registry ] *****
 
No malicious registry entries found.
 
 
***** [ Web browsers ] *****
 
No malicious Firefox based browser items found.
No malicious Chromium based browser items found.
 
*************************
 
C:\AdwCleaner\AdwCleaner[C1].txt - [2368 Bytes] - [29/03/2016 11:38:27]
C:\AdwCleaner\AdwCleaner[C2].txt - [1623 Bytes] - [30/12/2016 11:42:04]
C:\AdwCleaner\AdwCleaner[C3].txt - [1662 Bytes] - [30/12/2016 20:02:42]
C:\AdwCleaner\AdwCleaner[C4].txt - [1654 Bytes] - [30/12/2016 22:39:32]
C:\AdwCleaner\AdwCleaner[C5].txt - [2404 Bytes] - [31/12/2016 21:07:46]
C:\AdwCleaner\AdwCleaner[C6].txt - [2323 Bytes] - [31/12/2016 21:14:48]
C:\AdwCleaner\AdwCleaner[S10].txt - [2486 Bytes] - [31/12/2016 20:32:57]
C:\AdwCleaner\AdwCleaner[S11].txt - [2423 Bytes] - [31/12/2016 21:14:38]
C:\AdwCleaner\AdwCleaner[S12].txt - [2408 Bytes] - [31/12/2016 21:17:22]
C:\AdwCleaner\AdwCleaner[S13].txt - [2482 Bytes] - [31/12/2016 21:27:20]
C:\AdwCleaner\AdwCleaner[S14].txt - [2556 Bytes] - [31/12/2016 21:49:27]
C:\AdwCleaner\AdwCleaner[S15].txt - [2630 Bytes] - [31/12/2016 21:52:11]
C:\AdwCleaner\AdwCleaner[S16].txt - [2704 Bytes] - [31/12/2016 21:56:28]
C:\AdwCleaner\AdwCleaner[S17].txt - [2778 Bytes] - [31/12/2016 22:02:51]
C:\AdwCleaner\AdwCleaner[S18].txt - [2852 Bytes] - [01/01/2017 00:32:01]
C:\AdwCleaner\AdwCleaner[S19].txt - [2926 Bytes] - [01/01/2017 07:43:36]
C:\AdwCleaner\AdwCleaner[S1].txt - [2146 Bytes] - [29/03/2016 11:36:40]
C:\AdwCleaner\AdwCleaner[S20].txt - [2262 Bytes] - [01/01/2017 07:50:28]
C:\AdwCleaner\AdwCleaner[S2].txt - [4010 Bytes] - [16/07/2016 08:43:15]
C:\AdwCleaner\AdwCleaner[S3].txt - [1716 Bytes] - [30/12/2016 11:41:18]
C:\AdwCleaner\AdwCleaner[S4].txt - [1530 Bytes] - [30/12/2016 13:18:31]
C:\AdwCleaner\AdwCleaner[S5].txt - [1761 Bytes] - [30/12/2016 20:02:18]
C:\AdwCleaner\AdwCleaner[S6].txt - [1749 Bytes] - [30/12/2016 21:02:31]
C:\AdwCleaner\AdwCleaner[S7].txt - [1822 Bytes] - [30/12/2016 22:39:19]
C:\AdwCleaner\AdwCleaner[S8].txt - [1968 Bytes] - [30/12/2016 23:09:07]
C:\AdwCleaner\AdwCleaner[S9].txt - [2041 Bytes] - [31/12/2016 17:52:10]
 
########## EOF - C:\AdwCleaner\AdwCleaner[S20].txt - [2920 Bytes] ##########

Here is the Fixlog

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 01-01-2017
Ran by stefan (01-01-2017 10:25:06) Run:1
Running from C:\Users\stefan\Desktop\Folder
Loaded Profiles: stefan (Available Profiles: user & stefan)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
Start
 
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
 
SearchScopes: HKU\S-1-5-21-1514858351-3292536063-3297741313-1002 -> {67C334C0-408D-4E6D-B5A7-0ADD6AFFA252} URL =
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll => No File
FF Plugin-x32: Soda PDF 8 -> C:\Program Files (x86)\Soda PDF 8\np-previewer.dll [No File]
CHR Extension: (Chrome Web Store Payments) - C:\Users\stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-07-23]
CHR Extension: (Chrome Media Router) - C:\Users\stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm [2016-12-15]
U0 aswVmm; no ImagePath
S3 BRDriver64_1_4_0_5C00A8AF; \??\C:\ProgramData\Bitraider\support\1.4.0\5C00A8AF\BRDriver64.sys [X]
 
Reboot:
 
End
*****************
 
Restore point was successfully created.
Processes closed successfully.
HKU\S-1-5-21-1514858351-3292536063-3297741313-1002\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{67C334C0-408D-4E6D-B5A7-0ADD6AFFA252} => key removed successfully
HKCR\CLSID\{67C334C0-408D-4E6D-B5A7-0ADD6AFFA252} => key not found. 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\00avast => key removed successfully
HKCR\CLSID\{472083B0-C522-11CF-8763-00608CC02F24} => key not found. 
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} => key removed successfully
HKCR\CLSID\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} => key not found. 
HKLM\Software\Wow6432Node\MozillaPlugins\Soda PDF 8 => key removed successfully
C:\Users\stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => not found
C:\Users\stefan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pkedcjkdefgpdelpbcmbmeomcjbeemfm => not found
HKLM\System\CurrentControlSet\Services\aswVmm => key removed successfully
aswVmm => service removed successfully
HKLM\System\CurrentControlSet\Services\BRDriver64_1_4_0_5C00A8AF => key removed successfully
BRDriver64_1_4_0_5C00A8AF => service removed successfully
 
=========== EmptyTemp: ==========
 
BITS transfer queue => 8388608 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 16987155 B
Java, Flash, Steam htmlcache => 505682076 B
Windows/system/drivers => 1324125 B
Edge => 0 B
Chrome => 75656322 B
Firefox => 11305751 B
Opera => 0 B
 
Temp, IE cache, history, cookies, recent:
Users => 0 B
Default => 0 B
Public => 0 B
ProgramData => 0 B
systemprofile => 66228 B
systemprofile32 => 164955 B
LocalService => 66228 B
NetworkService => 0 B
user => 194276132 B
stefan => 6335720076 B
 
RecycleBin => 1507 B
EmptyTemp: => 6.7 GB temporary data Removed.
 
================================
 
 
The system needed a reboot.
 
==== End of Fixlog 10:28:30 ====

Edited by TidesofFate, 01 January 2017 - 01:36 PM.
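A note on what the RogueKiller report above actually found, since none of it is a file: PUM (potentially unwanted modification) entries are configuration values the tool considers worth a look. The two PUM.Dns lines are the DhcpNameServer value for a single interface GUID (it appears twice because both ControlSet001 and ControlSet002 are scanned; CurrentControlSet links to one of them). DhcpNameServer is the resolver handed out by whatever answered DHCP on that adapter (router, VPN client, tethered phone), as opposed to NameServer, which is a statically configured one, so the thing to verify is the device that issued it rather than this registry key. 198.18.0.0/15 is reserved for network benchmarking (RFC 2544) and some VPN and filtering clients use it as an internal range, so identify the adapter before drawing conclusions. The Suspicious.Path lines are an inbound-allow firewall rule for a ClickOnce-deployed application under AppData\Local\Apps\2.0 (BitTorrent Bleep); the rule is flagged because it points into a user profile, which is a heuristic, not an indicator. The PowerShell below is an added example, not from this thread or from RogueKiller, that reads the same Tcpip\Parameters\Interfaces values from CurrentControlSet, resolves each interface GUID to its adapter name, and classifies every resolver address. Function names and the class labels are my own.

```powershell
# Added example (not from the thread): show which resolver each adapter uses,
# where the value came from (static NameServer vs DHCP-assigned DhcpNameServer),
# and what kind of address it is. Read-only; works on Windows 7 / PowerShell 2.0+.

function Get-DnsAddressClass {
    param([string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return 'Unparseable' }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return 'IPv6' }
    $b = $ip.GetAddressBytes()
    if ($b[0] -eq 127) { return 'Loopback' }
    if ($b[0] -eq 10) { return 'RFC1918' }                                        # 10.0.0.0/8
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return 'RFC1918' }   # 172.16.0.0/12
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return 'RFC1918' }                    # 192.168.0.0/16
    if ($b[0] -eq 100 -and $b[1] -ge 64 -and $b[1] -le 127) { return 'CGNAT-100.64/10' }
    if ($b[0] -eq 198 -and ($b[1] -eq 18 -or $b[1] -eq 19)) { return 'Benchmark-198.18/15' }  # RFC 2544
    return 'Public'
}

function Get-AdapterName {
    param([string]$InterfaceGuid)
    # The friendly name lives under the network class key, not under Tcpip.
    $conn = "HKLM:\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\$InterfaceGuid\Connection"
    $p = Get-ItemProperty -Path $conn -ErrorAction SilentlyContinue
    if ($p -and $p.Name) { return $p.Name } else { return '(no adapter name)' }
}

function Get-InterfaceDnsServers {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
    foreach ($key in Get-ChildItem $base) {
        $p = Get-ItemProperty $key.PSPath
        foreach ($field in 'NameServer', 'DhcpNameServer') {
            $raw = $p.$field
            if (-not $raw) { continue }
            # Windows separates multiple resolvers with spaces or commas.
            foreach ($addr in ($raw -split '[ ,]+' | Where-Object { $_ })) {
                New-Object PSObject -Property @{
                    Adapter   = Get-AdapterName $key.PSChildName
                    Interface = $key.PSChildName
                    Source    = $field
                    Address   = $addr
                    Class     = Get-DnsAddressClass $addr
                }
            }
        }
    }
}

Get-InterfaceDnsServers | Format-Table Adapter, Source, Address, Class, Interface -AutoSize
```

A Public resolver on a DhcpNameServer line for the physical NIC means the router is forwarding to that address; compare it with the router's own WAN DNS settings. A Benchmark-198.18/15 or CGNAT address on a VPN or virtual adapter is usually that software's own design and not a finding.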


#6 nasdaq (Malware Response Team)
Posted 01 January 2017 - 02:37 PM

You can get the latest version of Java.

Remove the old version.

You can then disable it as per my previous instructions on Java.

Or you can just uninstall the application.

===

Temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download Zoek tool from here

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Next, copy/paste the entire script inside the code box below to the input field of Zoek:
createsrpoint;
autoclean;
emptyclsid;
emptyffcache;
FFdefaults;
emptyiecache;
iedefaults;
emptychrcache;
CHRdefaults;
emptyalltemp;
emptyfolderscheck;delete
ipconfig /flushdns;b
Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.

Please attach the zoek-results.log in your reply.
===

Also, please provide an update on how the computer is behaving after running the above script.

#7 TidesofFate (Topic Starter)

Posted 01 January 2017 - 06:45 PM

So I can just uninstall Java and it'll be fine right?
 
As for Zoek, it seems to have just stopped. It's been more than a few minutes and it hasn't added anything new. What is the issue?
Here is what I have so far. I disabled the Internet on purpose just so you know. I only enable it when I need to copy and paste here or download something.
 
Zoek.exe v5.0.0.1 Updated 27-09-2015
Tool run by stefan on Sun 01/01/2017 at 14:41:53.35.
Microsoft Windows 7 Professional  6.1.7601 Service Pack 1 x64
Running in: Normal Mode No Internet Access Detected
Launched: C:\Users\stefan\Desktop\zoek.exe [Scan all users] [Script inserted] 
 
===== Runcheck 14:42:45.71 =====
 
--- Create Environment Variables 14:42:46.92 
--- Create System Restore Point 14:42:53.36 
--- Checking Input 14:43:00.29 
--- AU AppData Check 14:43:07.65 
--- Remove From Windows Installer 14:43:10.21 
--- Empty Folders Check 14:44:29.63 
--- Registry HKLM Software Check 14:44:29.64 
--- Quick Launch Shortcut Check 14:44:40.43 
--- IE Startpage Check 14:44:44.46 
--- Program Files DB Check 14:45:03.28 
--- C:\Users\Default\AppData\Roaming DB Check 14:45:51.54 
--- C:\Users\Default User\AppData\Roaming DB Check 14:45:51.54 
--- C:\Users\stefan\AppData\Roaming DB Check 14:45:51.54 
--- C:\Users\user\AppData\Roaming DB Check 14:45:51.54 
--- C:\Windows\SysNative\config\systemprofile\AppData\Roaming DB Check 14:45:51.54 
--- C:\Windows\sysWoW64\config\systemprofile\AppData\Roaming DB Check 14:45:51.54 
--- C:\Windows\serviceprofiles\networkservice\AppData\Roaming DB Check 14:45:51.54 
--- C:\Windows\serviceprofiles\Localservice\AppData\Roaming DB Check 14:45:51.54 
--- C:\Users\stefan DB Check 14:48:34.05 
--- C:\PROGRA~3 DB Check 14:48:51.97 
--- C:\Users\Default\AppData\Local DB Check 14:48:57.13 
--- C:\Users\Default User\AppData\Local DB Check 14:48:57.13 
--- C:\Users\stefan\AppData\Local DB Check 14:48:57.13 
--- C:\Users\user\AppData\Local DB Check 14:48:57.13 
--- C:\Windows\SysNative\config\systemprofile\AppData\Local DB Check 14:48:57.13 
--- C:\Windows\sysWoW64\config\systemprofile\AppData\Local DB Check 14:48:57.13 
--- C:\Windows\serviceprofiles\networkservice\AppData\Local DB Check 14:48:57.13 
--- C:\Windows\serviceprofiles\Localservice\AppData\Local DB Check 14:48:57.13 
--- C:\ProgramData\Microsoft\Windows\Start Menu\Programs DB Check 14:50:48.84 
--- C:\Users\stefan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs DB Check 14:50:59.25 
--- Tasks DB Check 14:51:05.94 
--- Downloads DB Check 14:51:10.07 
--- C:\Users\stefan\AppData\LocalLow DB Check 14:51:14.49 
--- C:\Users\user\AppData\LocalLow DB Check 14:51:14.49 
--- C:\Windows\SysNative\config\systemprofile\AppData\LocalLow DB Check 14:51:14.49 
--- C:\Windows\sysWoW64\config\systemprofile\AppData\LocalLow DB Check 14:51:14.49 
--- C:\Windows\serviceprofiles\networkservice\AppData\LocalLow DB Check 14:51:14.49 
--- C:\Windows\serviceprofiles\Localservice\AppData\LocalLow DB Check 14:51:14.49 
--- Tasks2 DB Check 14:52:18.64 
--- Documents DB Check 14:52:52.72 
--- C:\Users\stefan\AppData\Roaming\Mozilla\Firefox\Profiles\4tg1onnz.default DB Check 14:53:02.23 
--- C:\Users\Public\Desktop DB Check 14:53:04.85 
--- C:\Users\stefan\Desktop DB Check 14:53:10.73 
--- Services DB Check 14:53:20.80 
--- FF prefs.js DB Check 14:53:47.95 
--- Emptyclsid 14:54:32.26 
--- Del by CLSID 14:54:34.09 
--- Delete Services 14:55:04.74 
--- Firefox Fix 14:55:06.90 
--- Batch Commands 14:55:08.15 
--- Delete files\folders 14:55:08.26 
--- Create Backups 14:55:08.38 
--- Firefox Extensions 14:55:11.73 

Edited by TidesofFate, 01 January 2017 - 07:19 PM.


#8 nasdaq (Malware Response Team)
Posted 02 January 2017 - 08:22 AM

Please run the Roguekiller tool and this time clean everything.
The default settings will be used.

===

The Zoek log shows that you do not have Internet Access.
Running in: Normal Mode No Internet Access Detected

Can you make sure that you have a connection and run the fix again.

Post the logs for my review.

#9 TidesofFate (Topic Starter)

Posted 02 January 2017 - 03:54 PM

I had the internet disconnected on purpose just to make sure nothing would come through.

I gave up and decided to buy Windows 10. I thought about buying it anyway. I backed up everything I cared about backing up and that was it.

Thank you for the help anyway.